9 most common types of online payment fraud - and solutions to prevent them
E-commerce has revolutionised how we transact. However, alongside the benefits of digital payments come significant risks. One of the biggest threats is payment fraud.
According to Juniper Research, losses from online payment fraud could exceed $362 billion globally by 2028. In the UK alone, total payment fraud losses reached £1.17 billion in 2024.
Every fraudulent transaction costs merchants far more than the transaction value itself. Beyond the immediate financial loss, businesses face chargeback fees, administrative costs, damaged customer relationships, and the risk of losing payment processing capabilities entirely. For many merchants, payment fraud represents a constant battle that directly impacts profitability and growth.
The good news? Modern fraud prevention technologies, combined with operational best practices, can detect and block 97%+ of fraudulent transactions while maintaining seamless experiences for legitimate customers.
Whether you're an e-commerce retailer fighting chargeback fraud, a travel merchant dealing with booking scams, or a digital goods provider battling account takeovers, this guide provides insights into the 9 most common types of payment fraud targeting businesses today, the warning signs to watch for, and the proven strategies to help keep your business protected.
1. Identity theft
One common strategy fraudsters deploy is identity theft. Fraudsters steal consumer data by impersonating legitimate websites or using phishing attacks to harvest sensitive information.
Identity fraud cases in the UK reached 249,417 in 2025 - a 5% increase from the previous year, representing 59% of all fraud cases filed to the National Fraud Database. And 86% of identity fraud is now committed through online channels.
Phishing attacks, which use social engineering to trick people into sharing sensitive information such as their names, emails, contact numbers, and payment information, surged dramatically after the launch of generative AI tools like ChatGPT, making it easier for fraudsters to create convincing impersonation attempts at scale.
How to avoid it
E-commerce companies can help their customers by constantly reminding them of official channels, websites, and payment platforms. Make them aware of any fake websites that might try to take their information.
Consumers should also check websites before passing on any sensitive information like bank details, credit cards, and online wallets by keeping an eye out for missing trust signals and suspicious URLs that might not have the same name as the original site.
2. Friendly fraud
Friendly fraud represents one of the most significant challenges facing online merchants today. 72% of merchants reported an increase in friendly fraud chargebacks in 2024.
Friendly fraud occurs when a customer disputes a genuine transaction, either mistakenly or intentionally. This may be due to the customer forgetting that they made the purchase, or their payment details may have unknowingly been used by a household member or friend. These disputes, although invalid, are often made without any malicious intent. Unfortunately, some instances of friendly fraud occur knowingly when a customer changes their mind about a purchase or tries to recover the funds without returning the item.
Cardholders are only supposed to dispute a charge for a limited number of reasons, but in reality, many people use it as a quick fix for everyday issues. Friendly fraud is the leading cause of chargebacks, accounting for 45% of cases. The financial impact is significant: merchants not only lose the original sale value and merchandise but also face chargeback fees averaging £20-30 per incident, plus the administrative costs of disputing invalid claims.
Common scenarios include customers who don't recognise a charge on their bank statement and opt to dispute it rather than investigate further. This could simply mean they made the purchase and forgot about it, or it could be that the name of the business wasn't recognised.
Delivery problems also frequently lead to friendly fraud. If an item never arrives, or takes longer than expected, the customer might assume that it's been lost and request a chargeback. This is particularly common when customers aren't given clear delivery details, can't contact the business easily, or weren't provided with order status updates.
When customers want to avoid the returns process, chargebacks are often used as an easy way to get out of processing a return, especially if a customer is unhappy with an item they purchased or finds the business's returns policy complex or difficult to understand.
How to avoid it
Prevention of friendly fraud requires a multi-layered approach that combines clear communication, robust documentation, and proactive customer service.
Start by using a clear billing descriptor that ensures your business name on bank and credit card statements is immediately recognisable to customers. Include your website or customer service number in the descriptor when possible to help customers identify the charge without resorting to a dispute.
Provide excellent communication throughout the customer journey. Send immediate order confirmations with clear transaction details, provide tracking information for all shipments, and set realistic delivery expectations. Proactive updates about order status significantly reduce disputes arising from delivery concerns. Make your returns policy transparent by displaying it prominently on product pages and at checkout, and ensure the process is straightforward and customer-friendly, as a complicated returns process often drives customers to initiate chargebacks instead of following proper procedures.
Documentation is crucial when fighting invalid chargebacks. Maintain detailed records of all transactions, including timestamps, IP addresses, delivery confirmations, and customer communications. This evidence is essential when disputing fraudulent claims. Use tools like delivery confirmation with signature requirements for high-value items to provide irrefutable proof of delivery.
Respond quickly to customer enquiries, as many chargebacks can be prevented if customers can easily reach you with concerns. Offer multiple contact channels and respond promptly to delivery or product queries before they escalate to disputes. Deploy chargeback alerts that notify you immediately when a chargeback is filed, giving you the opportunity to refund the transaction before it becomes a chargeback, saving you the chargeback fee and protecting your merchant account standing.
Partner with fraud prevention services that offer chargeback management tools, including automated evidence gathering, representment services, and analytics to identify patterns in friendly fraud.
3. Refund fraud
As well as chargebacks, fraudsters also use refund options as a form of online payment fraud. In these cases, they will place an order and then prompt for a refund once fulfilled.
According to the National Retail Federation (NRF), total retail returns reached £890 billion in 2024, representing 16.9% of retail sales. For 2025, the NRF projects approximately 9% (around £76.5 billion) of returns will be fraudulent.
Retailers tracking fraud incidents noted year-over-year increases in overstated quantity of returns (71%), empty box returns (65%), and decoy returns where counterfeit items are returned instead of genuine products (64%).
How to avoid it
Combat refund fraud by publishing a clear, strict returns policy on your website.
Without a clear return policy, companies put their customer service staff in a tight spot when a dispute arises, which pressures them to process unauthorised returns or refunds. Always demand a receipt and proof of return of the product before issuing any refunds. You can also consider placing restocking fees for high-value products or those that can be difficult to ship.
Deploy fraud detection tools that can identify suspicious return patterns, such as multiple returns from the same customer, returns without proof of purchase, or serial returners. Monitor for wardrobing, where customers purchase items, use them, and return them, which accounts for an estimated 60% of fraudulent returns.
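The return-pattern checks described in this section, as an added Python example that is not the article's or any vendor's code. It flags the patterns the article names (returns without proof of purchase, overstated quantities, serial returners) over constructed sample orders and return requests; the thresholds are assumptions.

```python
from collections import defaultdict

# Constructed sample data (not from the article): fulfilled orders and the return requests
# raised against them. qty is in units; proof_of_purchase records whether a receipt was supplied.
ORDERS = {
    "o1001": {"customer": "c1", "sku": "JACKET", "qty": 1},
    "o1002": {"customer": "c1", "sku": "SHOES", "qty": 1},
    "o1003": {"customer": "c1", "sku": "HAT", "qty": 2},
    "o1004": {"customer": "c2", "sku": "JACKET", "qty": 1},
    "o1005": {"customer": "c3", "sku": "SHOES", "qty": 1},
}
RETURNS = [
    {"order": "o1001", "customer": "c1", "qty": 1, "proof_of_purchase": True},
    {"order": "o1002", "customer": "c1", "qty": 1, "proof_of_purchase": True},
    {"order": "o1003", "customer": "c1", "qty": 2, "proof_of_purchase": True},
    {"order": "o1004", "customer": "c2", "qty": 3, "proof_of_purchase": True},   # more than was bought
    {"order": "o9999", "customer": "c3", "qty": 1, "proof_of_purchase": False},  # no such order, no receipt
]

# Assumed policy thresholds; tune them to your own return rates.
SERIAL_RETURN_RATE = 0.8   # share of a customer's orders that came back
SERIAL_MIN_ORDERS = 3      # only judge customers with at least this much history

def flag_returns(orders, returns):
    """Map order id -> list of reasons a return request should be held for manual review."""
    flags = defaultdict(list)
    returned_by = defaultdict(set)          # customer -> orders they asked to return
    for r in returns:
        order = orders.get(r["order"])
        if order is None or not r["proof_of_purchase"]:
            flags[r["order"]].append("no_proof_of_purchase")
        elif order["customer"] != r["customer"]:
            flags[r["order"]].append("customer_mismatch")
        if order is not None and r["qty"] > order["qty"]:
            flags[r["order"]].append("overstated_quantity")
        returned_by[r["customer"]].add(r["order"])
    # Serial returners: a high share of the customer's order history coming back.
    orders_per_customer = defaultdict(int)
    for o in orders.values():
        orders_per_customer[o["customer"]] += 1
    for cust, returned in returned_by.items():
        n = orders_per_customer[cust]
        if n >= SERIAL_MIN_ORDERS and len(returned) / n >= SERIAL_RETURN_RATE:
            for oid in returned:
                flags[oid].append("serial_returner")
    return dict(flags)
```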
4. Business email compromise (BEC)
When scammers perform a business email compromise, they lure a company's staff to initiate a transfer to the fraudulent person's account by impersonating a senior employee with a fake business email.
A closely related practice is invoice redirection. Fraudsters use social engineering to alter the payment details held against legitimate accounts payable, typically by impersonating a supplier asking for an invoice to be settled and supplying the scammer's bank details in place of the supplier's. For example, a scammer might impersonate a supplier of raw materials and email a billing statement carrying the fraudster's bank details, asking for immediate settlement of the invoice.
How to avoid it
Companies can curb this trend by training staff to spot phishing attempts, verifying unusual requests via a secondary channel (e.g., a phone call), tightening internal controls, and using centralised finance apps. Flagging rules can automatically block incoming emails or messages from known fraudulent accounts, and companies can also apply newer data sources and technologies such as voice analytics.
Implement dual authorisation workflows for any payment changes or high-value transactions. Establish verification protocols that require confirmation through a separate communication channel, such as calling a known phone number, before processing any invoice changes or unusual payment requests, even if they appear to come from known executives.
5. Payment interception
Payment interception, or 'man-in-the-middle' fraud, occurs when hackers hijack the payment process. They may impersonate support staff on social media or direct customers to fake payment pages.
As instant payment adoption accelerates, fraudsters are increasingly exploiting these faster rails. Real-time payments provide little time to detect and block fraudulent transactions once initiated. Authorised push payment (APP) fraud, where victims are tricked into authorising legitimate payment transactions to fraudsters, has become a significant concern.
According to UK Finance's Half Year Fraud Report 2025, APP fraud losses reached £257.5 million in the first half of 2025 - a 12% increase from the same period in 2024. Investment scams accounted for £97.7 million (up 55%), whilst purchase scams represented 72% of all APP fraud cases by volume.
The UK Payment Systems Regulator's APP Scams Reimbursement Dashboard reports that since new mandatory reimbursement rules were introduced in October 2024, 88% of in-scope APP fraud losses have been reimbursed to victims.
How to avoid it
Payment interception can be very tricky to spot. Fraud detection in this category involves carefully studying a payment page before making any payments. Avoid using any payment option that doesn't allow for disputes or refunds. Use legitimate payment gateways that offer money-back guarantees to ensure safety.
For businesses, implement transaction velocity limits, require step-up authentication for unusual payment amounts or destinations, and educate customers about the risks of APP fraud. Make it clear that your company will never ask customers to move conversations to unofficial channels or request payments through unsolicited links.
6. Password or code hacking
Password and code hacking have become more sophisticated over the years. Scammers and phishers deploy dozens of strategies to capture personal information and credentials. With 60% of millennials, 57% of Generation Z and 52% of Generation X primarily using mobile banking apps, young users are particularly vulnerable. But that doesn't mean everyone else is safe.
Despite increased awareness, 62% of consumers still reuse passwords across multiple sites, whilst 52% of login attempts involve previously leaked credentials. SIM swap attacks, where fraudsters take over mobile phone numbers to intercept two-factor authentication codes, have also risen significantly, with some reports showing increases of over 1,000% year-on-year.
How to avoid it
One of the best e-commerce fraud prevention practices to avoid password or code hacking is always to encourage customers to use a secure password, meaning it contains a long string of characters, numbers, and symbols. Consumers should be advised of the importance of not using the same password for multiple sites and using a secure password manager.
Implement multi-factor authentication for all accounts, not just at login, but for sensitive actions like payment method or address changes. Consider deploying passkeys and biometric authentication options, which are more secure than traditional passwords. It's also important that e-commerce websites play their part by using a payment partner that adheres to the strictest data security standards, including PCI DSS Level 1 certification and Strong Customer Authentication (SCA) under PSD2.
7. Website takeovers
Some malicious fraudsters will try to completely take over an e-commerce store by hacking it through a plugin or app inside the store. Some hackers are known to take over WooCommerce accounts and Shopify stores using a fake or outdated plugin, which they use to access company credentials and information.
In these cases, fraudsters might change payment credentials, bank details or card information to redirect all online payments to a fraudulent account instead of the e-commerce store's official account. E-commerce platform vulnerabilities remain a significant threat, with security researchers identifying numerous plugins and third-party integrations as common attack vectors for store takeovers.
How to avoid it
If you're a store owner, try using an up-to-date security plugin like WordFence to protect your account from takeovers. Perform regular audits of your apps and plugins, and regularly change access information to avoid hacking or store takeovers.
Implement a Web Application Firewall (WAF), conduct regular security audits and penetration testing, and ensure all software is kept up to date with the latest security patches. Consider using hosted payment pages that isolate payment processing from your main website, reducing your PCI DSS compliance scope whilst enhancing security. Maintain strict access controls with role-based permissions, and monitor for unauthorised changes to payment configurations or bank details.
8. Account takeover fraud
Account takeover (ATO) occurs when fraudsters gain unauthorised access to legitimate customer accounts using stolen credentials, phishing, or brute-force attacks. Once inside, they can make fraudulent purchases, drain stored payment methods, steal loyalty points, or change account details to lock out the legitimate owner.
Facility and account takeover fraud increased by 76% in 2024, with mobile account takeovers now more prevalent than traditional impersonation. In addition, 83% of organisations were hit by at least one ATO attack in 2024, with 26% facing an attack every single week.
The sophistication of ATO attacks has increased dramatically, with fraudsters using AI to automate credential stuffing, testing stolen username and password combinations at scale across multiple platforms. Once an account is compromised, fraudsters often move quickly, making it critical for businesses to detect and respond to suspicious activity in real-time.
How to avoid it
For businesses, implement robust authentication measures. Deploy behavioural analytics and device fingerprinting to identify suspicious login patterns, such as logins from new locations, devices, or at unusual times.
Monitor for credential stuffing attacks, where fraudsters test stolen username and password combinations at scale. Implement rate limiting, CAPTCHA challenges, and IP reputation checking to mitigate automated attacks. Use anomaly detection to identify accounts exhibiting unusual behaviour, such as sudden changes to contact information followed by high-value purchases.
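The two detections described above, credential stuffing from one source and logins from a device the account has never used, as an added Python example that is not the article's or any vendor's code. It runs over constructed login events; the line format, the known-device table and the thresholds are assumptions, and the new-device list is the set of logins a real system would send to step-up authentication.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample login events (not real logs): timestamp, source IP, account, device id, outcome.
LOG_LINES = """
2025-03-01T10:00:01Z ip=203.0.113.5 user=alice device=d-91 result=fail
2025-03-01T10:00:02Z ip=203.0.113.5 user=bob device=d-91 result=fail
2025-03-01T10:00:02Z ip=203.0.113.5 user=carol device=d-91 result=fail
2025-03-01T10:00:03Z ip=203.0.113.5 user=dave device=d-91 result=fail
2025-03-01T10:00:04Z ip=203.0.113.5 user=erin device=d-91 result=fail
2025-03-01T10:00:05Z ip=203.0.113.5 user=frank device=d-91 result=success
2025-03-01T10:05:00Z ip=198.51.100.7 user=alice device=d-17 result=success
2025-03-01T10:06:00Z ip=198.51.100.9 user=bob device=d-55 result=success
""".strip().splitlines()

# Constructed: devices each account has previously logged in from.
KNOWN_DEVICES = {"alice": {"d-17"}, "bob": {"d-20"}, "frank": {"d-03"}}

LINE_RE = re.compile(r"(\S+) ip=(\S+) user=(\S+) device=(\S+) result=(\S+)")
WINDOW = timedelta(minutes=1)
MAX_USERS_PER_IP = 5   # assumed: distinct accounts one IP may try inside WINDOW
MIN_FAIL_RATE = 0.6    # assumed: share of failed attempts that marks automation

def parse(lines):
    events = []
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
            events.append({"ts": ts, "ip": m.group(2), "user": m.group(3),
                           "device": m.group(4), "ok": m.group(5) == "success"})
    return events

def credential_stuffing_ips(events):
    """IPs that try many distinct accounts inside WINDOW with mostly failures."""
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e)
    flagged = set()
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["ts"])
        for i, first in enumerate(evs):          # sliding window starting at each event
            window = [e for e in evs[i:] if e["ts"] - first["ts"] <= WINDOW]
            users = {e["user"] for e in window}
            fails = sum(1 for e in window if not e["ok"])
            if len(users) >= MAX_USERS_PER_IP and fails / len(window) >= MIN_FAIL_RATE:
                flagged.add(ip)
                break
    return flagged

def new_device_logins(events, known):
    """Successful logins from a device the account has never used: step-up candidates."""
    return [(e["user"], e["device"], e["ip"]) for e in events
            if e["ok"] and e["device"] not in known.get(e["user"], set())]
```

Note that frank's successful login comes from the same source flagged for stuffing, which is the combination worth acting on first.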
Encourage your customers to use unique passwords, enable all available security features like biometric authentication, and monitor account activity regularly for unauthorised transactions. Educate them on the risks of phishing attempts designed to steal login credentials, and make sure they know never to share verification codes or passwords with anyone claiming to be from your customer support.
9. AI-powered fraud and deepfakes
Artificial intelligence has become the most transformative force in payment fraud, with over 50% of fraud now involving AI tools. Fraudsters are leveraging generative AI to create convincing phishing emails, impersonate company executives via deepfake video and voice, generate fake identity documents, and automate account creation at scale. Unfortunately, generative AI tools are becoming so advanced that it is now almost impossible for employees to determine what is legitimate - and what isn't.
AI-enabled threats are now a consistent driver of sophisticated fraud, with synthetic identities and forged documents increasingly bypassing traditional verification systems. Criminals are using AI to generate fake identities and forge documents that can bypass onboarding systems, as well as to deploy other fraud tactics, such as business email compromise attacks, at scale.
Deepfake technology enables fraudsters to impersonate CEOs in video calls requesting urgent wire transfers, create synthetic identities that pass traditional verification checks, and generate thousands of convincing phishing attempts personalised to individual targets.
How to avoid it
Combat AI threats by deploying AI-driven detection tools that spot subtle anomalies in real-time.
Implement AI-powered transaction monitoring that can identify subtle anomalies in payment patterns, use liveness detection for identity verification (requiring real-time interaction rather than static images), and deploy deepfake detection tools for video authentication.
Establish out-of-band verification protocols for high-value or unusual requests, even if they appear to come from known executives via video. This means confirming via a separate communication channel, such as calling a known phone number rather than one provided in the suspicious communication. Train staff to recognise AI-generated content and maintain scepticism about urgent payment requests.
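The out-of-band verification and dual authorisation described here and in the BEC section above, as an added Python example that is not the article's or any vendor's code. It models a supplier bank-detail change that can only be applied once someone has confirmed it on the phone number held in the supplier master record (never the number given in the request) and two distinct approvers, neither of them the requester, have signed it off; the supplier record, phone numbers and IBANs are constructed placeholders.

```python
from dataclasses import dataclass, field
from typing import Optional, Set

# Constructed supplier master record (placeholder values): the phone number on file is the
# only callback number that counts; a number supplied inside the request is never trusted.
VENDOR_MASTER = {"SUP-42": {"phone": "+44 20 7946 0000", "iban": "GB00OLDB00000000000001"}}

@dataclass
class BankDetailChange:
    supplier: str
    new_iban: str
    requested_by: str            # staff member who raised the change from the e-mail/invoice
    phone_in_request: str        # number the message asked us to call back on; kept for the audit trail
    verified_via: Optional[str] = None
    approvals: Set[str] = field(default_factory=set)

    def verify_out_of_band(self, number_called: str) -> bool:
        """Verification counts only if the number dialled is the one on the master record."""
        on_file = VENDOR_MASTER[self.supplier]["phone"]
        if number_called != on_file:
            return False         # ringing the number in the request only reaches whoever sent it
        self.verified_via = on_file
        return True

    def approve(self, approver: str) -> bool:
        """Dual authorisation: approvals are accepted only after verification, and never
        from the person who raised the request."""
        if self.verified_via is None or approver == self.requested_by:
            return False
        self.approvals.add(approver)   # a set, so the same approver cannot count twice
        return True

    def ready(self) -> bool:
        return self.verified_via is not None and len(self.approvals) >= 2

def apply_change(change: BankDetailChange, master=VENDOR_MASTER) -> bool:
    """Write the new IBAN to the master record only when every control has passed."""
    if not change.ready():
        return False
    master[change.supplier]["iban"] = change.new_iban
    return True
```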
From a payment infrastructure perspective, implement transaction velocity limits, require step-up authentication for unusual payment amounts or destinations, and use tokenization to ensure that even if credentials are compromised, payment details remain protected. Regularly update fraud detection models to account for evolving AI tactics, and consider partnering with payment providers that offer advanced machine learning-based risk management.
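The velocity limits and step-up triggers named here and in the payment interception section above, as an added Python example that is not the article's or any vendor's code. The engine declines when an account exceeds an assumed count or cumulative value inside a rolling window, and asks for a second factor on a single payment above an assumed amount or on the first payment to a destination the account has not paid before; all threshold values are assumptions.

```python
from collections import deque
from datetime import datetime, timedelta
from typing import Deque, Dict, Set, Tuple

# Assumed policy values: the article names the controls, not the thresholds.
VELOCITY_WINDOW = timedelta(hours=1)
MAX_TXNS_PER_WINDOW = 5            # hard limit on attempts per account per window
MAX_AMOUNT_PER_WINDOW = 2000.00    # hard limit on cumulative value per window
STEP_UP_AMOUNT = 500.00            # a single payment above this needs a second factor
NEW_PAYEE_STEP_UP = True           # first payment to an unseen destination needs a second factor

class PaymentRiskEngine:
    def __init__(self):
        self.history: Dict[str, Deque[Tuple[datetime, float]]] = {}   # account -> recent attempts
        self.known_payees: Dict[str, Set[str]] = {}                   # account -> trusted destinations

    def decide(self, account: str, amount: float, payee: str, ts: datetime) -> str:
        """Return 'allow', 'step_up' (require a second factor) or 'decline'."""
        recent = self.history.setdefault(account, deque())
        while recent and ts - recent[0][0] > VELOCITY_WINDOW:   # drop attempts outside the window
            recent.popleft()
        count = len(recent) + 1
        total = sum(a for _, a in recent) + amount
        if count > MAX_TXNS_PER_WINDOW or total > MAX_AMOUNT_PER_WINDOW:
            return "decline"            # velocity limit breached; the attempt is not recorded
        recent.append((ts, amount))     # pending step-ups still count towards velocity
        payees = self.known_payees.setdefault(account, set())
        if amount > STEP_UP_AMOUNT or (NEW_PAYEE_STEP_UP and payee not in payees):
            return "step_up"
        return "allow"

    def step_up_passed(self, account: str, payee: str) -> None:
        """Call once the customer completes the second factor; the destination becomes trusted."""
        self.known_payees.setdefault(account, set()).add(payee)
```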
Protecting your business with advanced payment security
The overall solution is partnering with payment providers that prioritise security through multi-layered fraud prevention. This includes:
Despite all the accounts of fraud, phishing, and hacking, it’s hard to deny that digital payments are the future of commerce. Fraudsters will always be present, either in online or offline transactions. Make sure you educate yourself on the future of online payments and start using solutions that provide data security, contingencies, and dispute opportunities.
Ecommpay’s award-winning risk management platform combines advanced technology with expert human oversight to deliver a 97%+ fraud prevention rate. Speak to our experts to find out more.